DPA user authentication and permissions using LDAP

Updated March 11th, 2016 

Overview

This article describes how to authenticate an Active Directory user and assign their permissions using LDAP, in the following sections:

  • Initially set up DPA to connect to LDAP
  • Configure authentication and permissions for groups of users
  • Logging in using LDAP
  • Troubleshooting

Starting with DPA/Ignite 8.3.300, DPA integrates with most LDAP implementations so that domain users can log in to DPA without duplicating their credentials inside DPA.

Note: At this time, only Active Directory integration is officially supported, but it will likely work with other LDAP implementations as well. If you plan on using Active Directory as your LDAP implementation, refer to DPA user authentication and permissions using Active Directory.

With LDAP authentication configured, users can log in with their domain account as well as with a DPA "custom user" account.

LDAP can group users, and each user can belong to multiple groups. DPA uses this grouping mechanism by assigning permissions to groups within DPA.

Environment

  • DPA 9.0 - 10.1
  • Ignite 8.3 and later

For DPA 10.2 and later, use the configuration wizard under Options > Administration > Configure.

Steps

Set up DPA to connect to LDAP

  1. Gather LDAP connection information.
    • LDAP server URL(s): Determine the server, full domain name and port of your server. Typically, this looks like:
      ldap://{server}.{fullDomainName}:{portNumber}
      For example, ldap://server1.domain.com:389
    • SSL: DPA supports SSL connections to AD/LDAP. To use SSL, specify the URL using ldaps://... and the corresponding port. For more information regarding SSL, see Configure DPA with LDAP over SSL below.
      Note on port: Typically the port for connecting to LDAP is 389, and 636 for LDAPS.
    • LDAP server failover is supported in DPA by allowing you to specify multiple URLs. However, if your LDAP is set up using round robin, you may only need one URL.
    • LDAP Base DN, or the top level of your directory tree:
      For example, DC=domain,DC=local
    • Domain Username and Password (aka Manager Account) that DPA will use to query the LDAP server for users and groups. Preferably, provide a user whose password does not expire. For the user name, use the user's full distinguished name (DN); upper or lower case does not matter. For example:
      1. cn=Bob Smith,cn=Users,dc=domain,dc=local
      2. cn=Bob Smith,ou=Users,dc=domain,dc=com
  2. Edit the system.properties file:
    • {install directory}\iwc\tomcat\ignite_config\idc\system.properties (for Windows)
      OR
    • {install directory}/iwc/tomcat/ignite_config/idc/system.properties (for UNIX or Linux)
  3. Add entries to the system.properties file.

    If you upgraded DPA from an older version, these properties need to be added. If this is a new installation of DPA 8.3 or higher, the entries already exist, so uncomment them and fill in the values. Values shown in braces ({...}) are connection information that you provide.

    The following is an example when using LDAP. Depending on your LDAP implementation, some properties may require different values:

    ## Enable AD/LDAP
    com.confio.security.ldap.enabled=true

    ## AD/LDAP Server Info
    com.confio.security.ldap.serverUrl1=ldap://{ldap.url}:{port}
    com.confio.security.ldap.serverUrl2=
    com.confio.security.ldap.baseDn={your BaseDN}

    ## LDAP Specific

    com.confio.security.ldap.isActiveDirectory=false
    com.confio.security.ldap.binaryAttributes=
    com.confio.security.ldap.authPopulator.userAttributes=uid
    com.confio.security.ldap.authPopulator.groupSearchFilter=(&(|(objectClass=posixGroup)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))(|(memberUid={1})(member={0})(uniqueMember={0})))
    com.confio.security.ldap.userSearch.searchFilter=(&(objectClass=inetorgperson)(uid={0}))
    com.confio.security.ldap.dao.ignorePartialResultException=false
    com.confio.security.ldap.dao.groupQuery=(&(|(objectClass=posixGroup)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))(cn={0}))
    com.confio.security.ldap.domain.component=infer

    ## LDAP Manager Account (Domain User)
    ## Or the full distinguished name (DN): CN=User Name,CN=Users,DC=domain,DC=com
    com.confio.security.ldap.manager.dn.user={domain user name}

    ## Note: Plain text password will be encrypted when DPA is restarted
    com.confio.security.ldap.manager.dn.password={domain user password}

    ## Optional, only change if you are having performance problems.
    ## If you have a single domain and all users are in 1 folder, you
    ## can set this value to the folder where you would like to start
    ## searching (e.g. CN=Users). This may decrease the time it takes
    ## for DPA to authenticate a user.
    ## This property is relative to baseDn.
    #com.confio.security.ldap.userSearch.searchBase=

    ## For use with LDAPS://
    ## Use forward slashes for both windows and linux
    ## Example: javax.net.ssl.trustStore=C:/Program Files (x86)/SolarWinds/Ignite PI/iwc/tomcat/conf/.keystore
    #javax.net.ssl.trustStore={install directory}/iwc/tomcat/conf/.keystore
    #javax.net.ssl.trustStorePassword=changeit

    ## If you are using a PKCS #12 (pfx) file to store your certificate, uncomment the following line:
    #javax.net.ssl.trustStoreType=PKCS12

    Note: It is important that the com.confio.security.ldap.baseDn property does not contain any spaces. The default password for javax.net.ssl.trustStorePassword is changeit. If you are using the default, you can leave the line commented out.

  4. Configure DPA with LDAP over SSL. If you wish to use LDAP with SSL, you will need to do the following:

    1. Uncomment the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties above and fill in the appropriate values.

    2. Change the com.confio.security.ldap.serverUrl1 to use ldaps and the SSL port. Typically this is 636.
       com.confio.security.ldap.serverUrl1=ldaps://{ldap.url}:{port}
    3. Import the LDAPS certificate into DPA.
      1. Run the DPA Certificate Importer Utility (IgniteCertImporter.jar). If you are running DPA/Ignite 8.3.200 or higher, the utility can be found in the following directory:
        {install directory}\iwc\tomcat\conf (for Windows)
        {install directory}/iwc/tomcat/conf (for UNIX or Linux)

        If the IgniteCertImporter.jar file does not exist in the folder listed above, it can be downloaded here: IgniteCertImporter.zip. Once downloaded, unzip it in your {install directory}.
      2. To run the application, open a command line, change to the directory where IgniteCertImporter.jar resides (ex: {install directory}/iwc/tomcat/conf) and type the following:

         java -jar IgniteCertImporter.jar

        The program will walk you through all of the steps for obtaining a certificate from your LDAP server.

      3. Skip to Step 5 and continue.

      4. If for some reason the Certificate Importer utility did not work, manually import the LDAPS certificate into DPA's keystore.
        • The keytool can be found in {install directory}\iwc\jre\bin or {install directory}/iwc/jre/bin.
        • The keystore can be found in {install directory}\iwc\tomcat\conf\.keystore or {install directory}/iwc/tomcat/conf/.keystore.
        • The import command is:
          {install directory}/iwc/jre/bin/keytool -import -keystore {install directory}/iwc/tomcat/conf/.keystore -alias igniteLdaps -file {pathtocertificate}/client509.cer -storepass changeit
          You can choose any alias name you want. It will be used to manage that certificate in the keystore.
  5. Restart DPA.
  6. Verify that the connection properties are correct:

    a. Login to DPA as an administrator.

    b. Click the Options menu, then the Administration tab, and then the User Administration button.

    c. On the User Administration page, click Add LDAP Group.

    d. Click the Search for a Group button.

    e. On the Search for Group dialog, type the name (or part of the name) of a group (e.g. “domain”) and then click the Search button.

    • If results are returned, then LDAP is configured correctly. See below for information about configuring authentication groups.
    • If an error occurs, double check your configuration values in system.properties. If you are certain that you have configured the properties correctly, you can check the {install directory}\iwc\tomcat\logs\auth.log file for more information.

Configure authentication and permissions

After you have set up DPA to use AD/LDAP, do the following:

  1. In LDAP, determine which group(s) contain the users that you wish to grant access to DPA. You might need to create a group if a suitable group does not exist.
  2. In DPA, click the Options menu, then the Administration tab, and then click User Administration.
  3. Click Add LDAP Group.
  4. Click Search for a Group.
  5. Enter the group name then press Search to find and select the group you want.
  6. Assign privileges to the group, just as you would for a user. This effectively assigns those permissions to the domain users who are members of the group. Note: DPA does not currently support single sign-on for individual accounts. It supports only LDAP groups at this time.
  7. Press Save.

All domain users in the selected group will immediately be able to log in to DPA using their domain user name and password, and will have the privileges that you set up for the group in DPA.

You can add multiple AD/LDAP groups in DPA. If a domain user is a member of more than one group, DPA will grant them the combined privileges from all of their groups.

Log in using LDAP

When LDAP is configured in DPA, the user name and password entered in the DPA login screen are first used to attempt to log in as a DPA custom user. If no such user is found, DPA then attempts to authenticate against LDAP by first searching for a matching user name and then binding with the supplied password. The user name used by DPA is the uid attribute of the LDAP user object.
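As an added example (not DPA code or part of this article), the following Python script reads a constructed system.properties fragment like the one in the setup steps above, checks the constraints the article states (no spaces in baseDn, a well-formed serverUrl1, the trust store uncommented when ldaps:// is used, a manager password present), and renders the userSearch.searchFilter and groupSearchFilter templates with RFC 4515 escaping so that whatever is typed in the login box cannot change the filter's structure. The property names are the article's own; the sample file contents, the path and the escaping helper are assumptions.

```python
import re

# Constructed sample of a DPA system.properties LDAP section (not a real install)
SAMPLE_PROPERTIES = """\
com.confio.security.ldap.enabled=true
com.confio.security.ldap.serverUrl1=ldaps://server1.domain.com:636
com.confio.security.ldap.baseDn=DC=domain,DC=local
com.confio.security.ldap.userSearch.searchFilter=(&(objectClass=inetorgperson)(uid={0}))
com.confio.security.ldap.authPopulator.groupSearchFilter=(&(|(objectClass=posixGroup)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))(|(memberUid={1})(member={0})(uniqueMember={0})))
com.confio.security.ldap.manager.dn.user=cn=Bob Smith,ou=Users,dc=domain,dc=com
com.confio.security.ldap.manager.dn.password=secret
#javax.net.ssl.trustStore=/opt/dpa/iwc/tomcat/conf/.keystore
"""

PREFIX = "com.confio.security.ldap."

def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#'/'!' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_ldap_config(props):
    """Apply the constraints the article states; return a list of problems found."""
    problems = []
    if " " in props.get(PREFIX + "baseDn", ""):
        problems.append("baseDn must not contain spaces")
    url = props.get(PREFIX + "serverUrl1", "")
    if not re.fullmatch(r"ldaps?://[^\s:/]+:\d+", url):
        problems.append("serverUrl1 must look like ldap(s)://host:port with no spaces")
    if url.startswith("ldaps://") and "javax.net.ssl.trustStore" not in props:
        problems.append("ldaps:// is used but javax.net.ssl.trustStore is still commented out")
    if not props.get(PREFIX + "manager.dn.password"):
        problems.append("manager account password is empty")
    return problems

def escape_filter_value(value):
    """RFC 4515 escaping: a typed login name must not be able to alter the filter structure."""
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)

def render_filter(template, *args):
    """Fill the {0}, {1} placeholders of a DPA-style filter template with escaped values."""
    return template.format(*(escape_filter_value(a) for a in args))
```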

Troubleshooting

Do you see the following error message in the iwc.log file when attempting to search for groups, or when logging in as an LDAP user?

ERROR (2016-11-14 17:12:16,406.MST) [http-nio-8124-exec-5] DefaultIgniteExceptionLogger - An unexpected error occurred from com.confio.iwc.user.UserServiceImpl.getLimitedGroupsFromLdap
com.confio.idc.ldap.LdapException: Error occurred searching for groups. (javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name '') javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''

Try setting the following property in system.properties and restarting DPA:

com.confio.security.ldap.referral=follow

Logging

Authentication information and errors are logged in the following file:

{install directory}\iwc\tomcat\logs\auth.log

Last modified
10:53, 1 Mar 2017